How severe is CVE-2022-24884?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2022-24884?

This is classified as CWE-347, which is a common weakness in software security.

CVE-2022-24884

HIGH Year: 2022

CVSS v3 Score

7.5

High

CVSS v2 Score

5.0

Medium

Weakness Type

CWE-347

View all →

Vulnerability Description

ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils 0.4.1. All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.

CVE-2002-1706

HIGH

CVSS:7.5(High)

Cisco IOS software 11.3 through 12.2 running on Cisco uBR7200 and uBR7100 series Universal Broadband Routers allows remote attackers to modify Data Over Cable Service Interface Specification (DOCSIS) ...

CWE-3472002

CVE-2005-2181

HIGH

CVSS:7.5(High)

Cisco 7940/7960 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoof messages such...

CWE-3472005

CVE-2005-2182

HIGH

CVSS:7.5(High)

Grandstream BudgeTone (BT) 100 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoo...

CWE-3472005

CVE-2015-7336

HIGH

CVSS:7.5(High)

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and pr...

CWE-3472015

CVE-2016-1000338

HIGH

CVSS:7.5(High)

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up th...

CWE-3472016

CVE-2016-1000342

HIGH

CVSS:7.5(High)

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up ...

CWE-3472016

CVE-2022-24884

Vulnerability Description

Related Vulnerabilities

CVE-2002-1706

CVE-2005-2181

CVE-2005-2182

CVE-2015-7336

CVE-2016-1000338

CVE-2016-1000342